DFIR-02 : Journal Forensics
Using $LogFile and $UsnJrnl during digital investigations
Windows NTFS uses a journaling technique that records a sequence of file changes in the $LogFile. This is how Windows maintains data consistency after critical failures that cause the system to shut down unexpectedly. Specifically, NTFS logs file transactions when:
- Creating a file
- Deleting a file
- Extending a file
- Truncating a file
- Setting file information
- Renaming a file
- Changing the security applied to a file
The previously analyzed $MFT stores a $LogFile transaction entry at offsets 08 to 15 of each record; this is how the MFT correlates with the other metadata attributes in the NTFS file system.
Figure: $MFT $LogFile Transaction Entry
From a forensic perspective, these records are valuable when it comes to building a timeline of transactions.
$UsnJrnl
- Tracks files and directories changed on the system via the USN (Update Sequence Number) journal.
- Available in the root directory under the $Extend folder.
- Contains two ADS (alternate data streams):
  - $Max: where the metadata of the change log is stored.
  - $J: where the actual change log records are stored.
$LogFile
- Tracks changes to MFT metadata.
- Available at the root directory.
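As an added example (not part of the original page or of any of the tools below), the following Python parses the USN_RECORD_V2 entries that make up the $J stream and maps their reason flags onto the transaction types listed above, producing timeline rows. The $J bytes it runs on are constructed inline; the MFT entry numbers, timestamps and file names are sample values, not data from a real volume.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 reason flags (winioctl.h) for the transaction types listed above
REASONS = {0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION", 0x100: "FILE_CREATE",
           0x200: "FILE_DELETE", 0x800: "SECURITY_CHANGE", 0x1000: "RENAME_OLD_NAME",
           0x2000: "RENAME_NEW_NAME", 0x8000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE"}
HDR = struct.Struct("<IHHQQqqIIIIHH")  # fixed 60-byte part of USN_RECORD_V2

def filetime(ft):
    # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_usn_j(buf):
    """Decode every USN_RECORD_V2 in a raw $J stream into timeline dicts."""
    out, off = [], 0
    while off + HDR.size <= len(buf):
        fields = HDR.unpack_from(buf, off)
        if fields[0] == 0:         # zero fill / sparse run between records: step 8 bytes
            off += 8
            continue
        (length, major, _minor, fref, pref, usn, ts, reason,
         _src, _sid, _attrs, nlen, noff) = fields
        if major != 2 or length < HDR.size or off + length > len(buf):
            break                  # unsupported record version or truncated tail
        name = buf[off + noff:off + noff + nlen].decode("utf-16-le")
        out.append({"usn": usn, "time": filetime(ts), "name": name,
                    "mft_entry": fref & 0xFFFFFFFFFFFF,      # low 48 bits = MFT record number
                    "parent_entry": pref & 0xFFFFFFFFFFFF,
                    "reasons": [n for bit, n in REASONS.items() if reason & bit]})
        off += length
    return out

def build_record(usn, ts, reason, name, fref=42, pref=5):
    """Build one constructed V2 record (sample data, not from a real volume)."""
    wname = name.encode("utf-16-le")
    length = (HDR.size + len(wname) + 7) & ~7            # records are 8-byte aligned
    hdr = HDR.pack(length, 2, 0, fref, pref, usn, ts, reason, 0, 0, 0x20, len(wname), HDR.size)
    return (hdr + wname).ljust(length, b"\0")

# Constructed $J fragment (16 bytes zero fill, then create -> rename -> delete); each USN is its byte offset
T0 = 132_000_000_000_000_000                              # FILETIME for 2019-04-17 18:40:00 UTC
SAMPLE_J = (b"\0" * 16
            + build_record(16, T0, 0x100 | 0x80000000, "notes.txt")
            + build_record(96, T0 + 50_000_000, 0x1000, "notes.txt")
            + build_record(176, T0 + 50_000_000, 0x2000 | 0x80000000, "notes.old")
            + build_record(256, T0 + 90_000_000, 0x200 | 0x80000000, "notes.old"))
if __name__ == "__main__":
    for r in parse_usn_j(SAMPLE_J):
        print(r["time"].isoformat(), r["mft_entry"], r["name"], "|".join(r["reasons"]))
```

On a real image, feed the parser the raw $Extend\$UsnJrnl:$J stream exported with a forensic tool; the zero-fill handling matters because the start of $J is normally a large sparse region.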
To parse these journals, here are some great free tools: